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Claims 

[d] 1. A method for detecting intrusion in a host via a moni- 
toring daemon operating in conjunction with a configu- 
ration file defining data entities to be monitored, said 
method as implemented in said host comprising the 
steps of: 

a. monitoring said data entities via comparing a locally 
stored copy of a digital signature associated with each 
data entity against a corresponding digital signature 
stored in a first remote database; and 

b. upon identifying a mismatch in compared digital sig- 
natures, issuing an instruction to record an entry in a log 
file located in a second remote database, said entry 
identifying a possible intrusion in said host. 

[c2] 2. A method for detecting intrusion in a host via a moni- 
toring daemon operating in conjunction with a configu- 
ration file defining data entities to be monitored, as per 
claim 1, wherein said host communicates with said first 
and second remote databases via one or more network 
interfaces and, subsequent to step (b), said method fur- 
ther comprises the step of issuing a command to bring 
down said one or more network interfaces to isolate said 



host. 

[c3] 3. a method for detecting intrusion in a host via a moni- 
toring daemon operating in conjunction with a configu- 
ration file defining data entities to be monitored, as per 
claim 1, wherein, subsequent to step (b), said method 
further comprises the step of issuing a command to an 
operating system of host to bring said host to a single 
user state. 

[c4] 4. a method for detecting intrusion in a host via a moni- 
toring daemon operating in conjunction with a configu- 
ration file defining data entities to be monitored, as per 
claim 1, wherein said first remote database and said sec- 
ond remote database are located on a single server or a 
plurality of servers belonging to a local area network. 

[c5] 5. A method for detecting intrusion in a host via a moni- 
toring daemon operating in conjunction with a configu- 
ration file defining data entities to be monitored, as per 
claim 1, wherein communications between said host and 
first remote database are encrypted. 

[c6] 6. A method for detecting intrusion in a host via a moni- 
toring daemon operating in conjunction with a configu- 
ration file defining data entities to be monitored, as per 
claim 1, wherein communications between said host and 



second remote database are encrypted. 

[c7] 7. a method for detecting intrusion in a host via a moni- 
toring daemon operating in conjunction with a configu- 
ration file defining data entities to be monitored, as per 
claim 1, wherein said digital signature is an MD5 signa- 
ture and said first remote database is an MD5 database. 

[c8] 8. A method for detecting intrusion in a host via a moni- 
toring daemon operating in conjunction with a configu- 
ration file defining data entities to be monitored, as per 
claim 1, wherein said second remote database is a SYS- 
LOG database. 

[c9] g. a method for detecting intrusion in a host via a moni- 
toring daemon operating in conjunction with a configu- 
ration file defining data entities to be monitored, as per 
claim 1, wherein said data entities are any of the follow- 
ing: system files, configuration files, or directories. 

[do] io. A system to detect intrusion comprising: 

a. a host running a monitoring daemon working in con- 
junction with a configuration file, said configuration file 
identifying files and directories to be monitored in said 
host and said host communicating with external net- 
works via one or more network interfaces, said monitor- 
ing daemon dynamically monitoring said files and direc- 



tories identified by said configuration file by comparing 
a locally stored digital signature corresponding to each 
file or directory against a remotely stored corresponding 
digital signature; 

b. a digital signature database remote from said host 
storing said digital signatures associated with files and 
directories identified by said configuration file; and 

c. a log database remote from said host recording en- 
tries corresponding to mismatches between a digital sig- 
nature stored in said host and a corresponding digital 
signature in said digital signature database. 

[c11] 11. A system to detect intrusion as per claim 10, wherein 
said first remote database and said second remote 
database are located on a single server or a plurality of 
servers belonging to a local area network. 

[d2] 12. A system to detect intrusion as per claim 10, wherein 
communications between said host and said digital sig- 
nature database are encrypted. 

[d3] 13. a system to detect intrusion as per claim 10, wherein 
communications between said host and log database are 
encrypted. 

[d4] 14. a system to detect intrusion as per claim 10, wherein 
said digital signature is an MD5 signature and said first 



remote database is an MD5 database. 

[d5] 15. An article of manufacture comprising a computer us- 
able medium having computer readable program code 
embed therein to detect intrusion in a host via a moni- 
toring daemon operating in conjunction with a configu- 
ration file defining data entities to be monitored, said 
medium comprising: 

a. computer readable program code monitoring said data 
entities via comparing a locally stored copy of a digital 
signature associated with each data entity against a cor- 
responding digital signature stored in a first remote 
database; and 

b. upon identifying a mismatch in compared digital sig- 
natures, computer readable program code issuing an in- 
struction to record an entry in a log file located in a sec- 
ond remote database, said entry identifying a possible 
intrusion in said host. 

[d6] 16. An article of manufacture as per claim 15, wherein 
said host communicates with said first and second re- 
mote databases via one or more network interfaces and 
said medium further comprises computer readable pro- 
gram code issuing a command to bring down said one or 
more network interfaces to isolate said host. 

[d7] 17. An article of manufacture, as per claim 15, wherein 



said method further comprises the step of issuing a 
command to an operating system of host to bring said 
host to a single user state. 

[d8] 18. An intrusion detection and isolation method imple- 
mented using a monitoring daemon in a host, said host 
having one or more network interfaces to communicate 
over one or more networks, said method comprising the 
steps of: 

a. reading a configuration file to identify data entities to 
be monitored on a host; 

b. for each data entity to be monitored, extracting a dig- 
ital signature from said host; 

c. for each data entity to be monitored, querying a re- 
mote digital signature database via said one or more 
network interfaces and requesting a digital signature 
corresponding to said digital signature extracted from 
said host; 

d. for each data entity to be monitored, receiving said 
corresponding digital signature from said remote digital 
signature database; 

e. matching digital signature received from said remote 
digital signature database with digital signature ex- 
tracted at said host; 

f. upon identifying a mismatch, transmitting an instruc- 
tion to a remote log database via said one or more net- 



work interfaces, said instruction executed in said remote 
log database to record an entry in a log file indicating a 
possible intrusion in said host; and 
g. performing any one of, or a combination of, the fol- 
lowing steps: 

(i) issuing a command to bring down said one or more 
network interfaces to isolate said host; or 

(ii) issuing a command to an operating system of host to 
bring said host to a single user state. 

[d9] 19. An intrusion detection and isolation method imple- 
mented using a monitoring daemon in a host, as per 
claim 18, wherein said digital signature database and 
said log database are located on a single server or a plu- 
rality of servers belonging to a local area network. 

[c20] 20. An intrusion detection and isolation method imple- 
mented using a monitoring daemon in a host, as per 
claim 18, wherein communications between said host 
and digital signature database are encrypted. 

[c21] 21. An intrusion detection and isolation method imple- 
mented using a monitoring daemon in a host, as per 
claim 18, wherein communications between said host 
and log database are encrypted. 

[c22] 22. An intrusion detection and isolation method imple- 



merited using a monitoring daemon in a host, as per 
claim 18, wherein said digital signature database is an 
MD5 database. 

[c23] 23. An intrusion detection and isolation method imple- 
mented using a monitoring daemon in a host, as per 
claim 18, wherein said log database is a SYSLOG 
database. 

[c24] 24. An intrusion detection and isolation method imple- 
mented using a monitoring daemon in a host, as per 
claim 18, wherein said data entities are any of the fol- 
lowing: system files, configuration files, or directories. 



